From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 15 Nov 2001 08:16:45 -0800 (PST)
Subject: [iwar] [fc:Virus.Nightmare.Scenarios]

Virus Nightmare Scenarios
By Shane Coursen, Business Week, 11/14/2001
http://www.businessweek.com/technology/content/nov2001/tc20011113_2935.htm

Sometimes virus writers draw inspiration from researchers' bad dreams

"Nightmare sessions" are anything but scary to most antivirus researchers: In fact, they might be the most fun an antivirus researcher can have. The idea is to get together with other researcher-friends and discuss viruses and security exploits that do not yet exist. The nice part about it is that at the end of the day, researchers aren't under the gun to find solutions within a few hours.

Nightmare sessions are usually closed to the general public -- naturally the last thing an antivirus researcher would want is for details from his or her theoretical nightmare to find their way to the general public. We know that somewhere exists an individual who would be more than happy to try and convert the theory into reality. And yet some of the worst possible nightmare theories have filtered out into the world, and some of the most destructive viruses seem to have been inspired by ideas virus researchers discussed in too public a manner.

In a nightmare session in the early nineties, virus researchers imagined a virus that would encrypt a victim's data, and hide the key in the loader program in the computer's Master Boot Record (MBR). Back then, a common manual fix to viruses was to rewrite the loader, which, in this particular nightmare, would cause the hapless victim to inadvertently destroy their only hope of salvaging their files. It wasn't long after this nightmare session that the One_Half virus was spotted in the wild. It encrypted half the cylinders on a target's hard drive, and wrote the key into the loader. Someone had taken a basic idea and developed it into a very dangerous reality. An otherwise innocuous virus type (most boot viruses at the time were benign) became something far from run-of-the-mill, and from that day on, it was no longer okay to manually rewrite the MBR to rid a computer of a virus.

THE THREE-YEAR RULE. The cycle has repeated again and again. Macro viruses were theorized in 1993, and in 1996, they came along. By then, VBS viruses were the stuff of nightmare sessions, and in 1999 someone made it real with VBS/Freelink. Then it was malicious ActiveX controls, which we're now beginning to see implemented, though not yet in the wild. The trend of recent viruses to compromise data -- which is far worse than merely destroying it -- also follows this path.

Code Red evolved from benign to sinister in less than a week. The first version simply took advantage of a known exploit; the second incarnation dropped a backdoor. While not directly damaging, the backdoor opened up computers to untold amounts of potential harm. Possibly more damaging are the indirect results of such a large-scale outbreak. No longer are there necessarily tangible files that one may target for detection. Instead, huge amounts of data that cannot be considered a virus are bringing down routers. Instead of efficiently directing data to where it needs to go, we find only delays. To add insult to injury, those delays then cause further problems for time-critical operations. In basic terms, some of today's viruses have the ability to produce a snowball effect that is nearly impossible to predict.

SirCam and Nimda also seemed to be inspired by ideas virus fighters have discussed with one another in too public a manner. Overall, the average time between a nightmare session and a virus coming out in the real world is three years. What's scary, and hopeful, about all this is that only a very few of our nightmare scenarios have become reality -- you wouldn't believe some of the ideas we've dreamed up.

I asked Joe Wells, longtime antivirus researcher, why so few of the nightmares discussed in public have been implemented. Wells maintains that "virus writers usually do not have the same breadth of knowledge as an antivirus researcher." It is a very good point. The average virus writer has not made a career of analyzing malicious code. Many have difficulties in making their creation function as a simple virus, let alone adorning it with revolutionary techniques.

However, it is not always in the best interest to divulge too much detail. What starts out as an honorable attempt to make software more secure might end up in disaster. All I can ask of those who believe in full disclosure is to be very aware of the composition of your audience.

Shane Coursen has worked in the field of antivirus research since 1992. He is currently CEO of WildList Organization International.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST